
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 51
December 16, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                                   # of Updates & Vulnerabilities
    ------------------------------------------ ------------------------------
    Windows                                    7 (#2)
    Microsoft Office                           1
    Other Microsoft Products                   5 (#3)
    Third Party Windows Apps                   4
    Novell                                     1
    Cross Platform                             12 (#1)
    Web Application - Cross Site Scripting     4
    Web Application                            2
    Network Device                             1

**************** Sponsored By Trusted Computer Solutions ****************

OS hardening is risky business when relying on manual scripts to secure your enterprise. Security Blanket automates this cumbersome and error prone process for consistent hardening to industry guidelines such as DISA STIGs and SANS CAG Top 20 Critical Controls. Saving time, reducing risk, and complying with policy is what Security Blanket is all about. http://www.sans.org/info/68158

*************************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Washington DC in December or in Orlando in March: http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010 24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011 12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments; and Future Trends in Network Security http://www.sans.org/security-east-2011/

-- North American SCADA 2011, Lake Buena Vista, FL, February 23-March 2, 2011 http://www.sans.org/north-american-scada-2011/

-- SANS 2011, Orlando, FL, March 27-April 4, 2011 39 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security http://www.sans.org/sans-2011/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, San Francisco, Bangalore and Phoenix all in the next 90 days.

For a list of all upcoming events, on-line and live: https://www.sans.org/index.php

****************************************************************************

Table Of Contents
    Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
        Windows
        Microsoft Office
        Other Microsoft Products
        Third Party Windows Apps
        Novell
        Cross Platform
        Web Application - Cross Site Scripting
        Web Application
        Network Device

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    Widely Deployed Software
    • (1) HIGH: Microsoft Internet Explorer Vulnerability
    • Affected:
      • Microsoft Internet Explorer 6.0, 7.0, 8
    • Description: Microsoft Internet Explorer is susceptible to a use-after-free vulnerability in its code responsible for parsing cascading style sheets (CSS). It was first reported by "sec yun" on Full Disclosure on 8 December 2010. It was initially assumed that the vulnerability could not be exploited, but since then, an exploit with a detailed description has been published. An attacker could exploit this vulnerability by enticing a target to view a malicious site.

    • Status: vendor confirmed, updates not available

    • References:
    • (3) MEDIUM: Google Chrome Multiple Vulnerabilities
    • Affected:
      • Google Chrome prior to 8.0.552.224
    • Description: Google has released a patch for multiple vulnerabilities affecting its Chrome browser. The vulnerabilities include at least two potentially serious ones: a problem validating messages to be deserialized, and a stale pointer issue with cursor handling. An attacker could exploit these vulnerabilities by enticing a target to view a malicious site.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 51, 2010

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10680 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 10.51.1 - CVE: CVE-2010-3941, CVE-2010-3940, CVE-2010-3944, CVE-2010-3943, CVE-2010-3942
    • Platform: Windows
    • Title: Microsoft Windows "Win32k.sys" Local Privilege Escalation
    • Description: The 'Win32k.sys' kernel mode device driver provides various functions, such as the window manager, collection of user input, screen output and the Graphics Device Interface; it also serves as a wrapper for DirectX support. Microsoft Windows is exposed to a local privilege escalation issue that occurs in the "Win32k.sys" Windows kernel mode device driver.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-098.mspx

    • 10.51.2 - CVE: CVE-2010-3963
    • Platform: Windows
    • Title: Microsoft Windows Kernel NDProxy Local Privilege Escalation
    • Description: Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel. Specifically, a buffer overflow can occur in the "Routing and Remote Access" component of Windows kernel because it fails to properly validate input passed from user mode to the kernel.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-099.mspx

    • 10.51.3 - CVE: CVE-2010-3960
    • Platform: Windows
    • Title: Microsoft Hyper-V VMBus Denial of Service
    • Description: Microsoft Hyper-V is a hypervisor based technology used to provide a virtualization platform. Microsoft Hyper-V is exposed to a local denial of service issue that occurs because the software fails to properly validate specially encapsulated packets sent to the Hyper-V VMBus from a guest virtual machine. Microsoft Hyper-V Server 2008 and Microsoft Hyper-V Server 2008 R2 are also affected.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-102.mspx

    • 10.51.4 - CVE: CVE-2010-3966
    • Platform: Windows
    • Title: Microsoft Windows BranchCache DLL Loading Arbitrary Code Execution
    • Description: Microsoft Windows is an operating system. BranchCache is a wide area network bandwidth optimization technology. Microsoft Windows is exposed to an issue that lets attackers execute arbitrary code. The issue arises because Windows searches for a Dynamic Link Library file, used by BranchCache, in the current working directory. Successful exploits will result in a compromise in the context of the currently logged in user.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-095.mspx

    • 10.51.5 - CVE: CVE-2010-2742
    • Platform: Windows
    • Title: Microsoft "Netlogon" RPC Null Pointer Dereference Remote Denial of Service
    • Description: Microsoft Windows is exposed to a remote denial of service issue that occurs because of a NULL pointer dereference error in the "Netlogon" RPC service.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-101.mspx

    • 10.51.6 - CVE: CVE-2010-3959, CVE-2010-3956, CVE-2010-3957
    • Platform: Windows
    • Title: Microsoft Windows OpenType Font Driver CMAP Table Remote Code Execution
    • Description: OpenType is a font format developed by Microsoft and Adobe. Microsoft Windows is exposed to a remote code execution issue that affects the OpenType Font driver.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-091.mspx

    • 10.51.7 - CVE: CVE-2010-3961
    • Platform: Windows
    • Title: Microsoft Windows Consent User Interface Registry Key Local Privilege Escalation
    • Description: Microsoft Windows is exposed to a local privilege escalation issue that occurs in Consent User Interface. Specifically, Consent User Interface fails to properly process a certain value set in the registry.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-100.mspx

    • 10.51.8 - CVE: CVE-2010-3947, CVE-2010-3949, CVE-2010-3950, CVE-2010-3951, CVE-2010-3952, CVE-2010-3946
    • Platform: Microsoft Office
    • Title: Microsoft Office TIFF Image Converter Heap-Based Buffer Overflow
    • Description: Microsoft Office is exposed to a remote heap-based buffer overflow issue because the software fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling Tagged Image File Format (TIFF) image files.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-105.mspx

    • 10.51.9 - CVE: CVE-2010-3342
    • Platform: Other Microsoft Products
    • Title: Microsoft Internet Explorer Cross-Domain Information Disclosure
    • Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to a cross-domain information disclosure issue because it fails to properly enforce the same origin policy.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

    • 10.51.10 - CVE: CVE-2010-3937
    • Platform: Other Microsoft Products
    • Title: Microsoft Exchange Server 2007 Infinite Loop Remote Denial of Service
    • Description: Microsoft Exchange Server is an email server for Microsoft Windows. The application is exposed to a remote denial of service issue that occurs because the Exchange Server store fails to properly handle crafted RPC requests. Microsoft Exchange Server 2007 Service Pack 2 for x64-based systems is affected.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-106.mspx

    • 10.51.11 - CVE: CVE-2010-2569, CVE-2010-2570, CVE-2010-3954, CVE-2010-2571, CVE-2010-3955
    • Platform: Other Microsoft Products
    • Title: Microsoft Publisher Size Value Heap Memory Corruption Remote Code Execution
    • Description: Microsoft Publisher is a desktop publishing application. Microsoft Publisher is exposed to a remote code execution issue. Specifically, heap-based memory may become corrupted when the application parses a certain size value in a Publisher file. This issue occurs in the "pubconv.dll" Dynamically Linked Library.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-103.mspx

    • 10.51.12 - CVE: CVE-2010-3348, CVE-2010-3342, CVE-2010-3340, CVE-2010-3345, CVE-2010-3346, CVE-2010-3343
    • Platform: Other Microsoft Products
    • Title: Microsoft Internet Explorer Cross-Domain Information Disclosure
    • Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to a cross-domain information disclosure issue because it fails to properly enforce the same origin policy.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-090.mspx

    • 10.51.13 - CVE: CVE-2010-3964
    • Platform: Other Microsoft Products
    • Title: Microsoft SharePoint Malformed SOAP Request Remote Code Execution
    • Description: Microsoft SharePoint is an integrated server application providing content management and search capabilities. Microsoft SharePoint is exposed to a remote code execution issue because the Document Conversions Launcher Service fails to properly validate SOAP requests from the Document Conversions Load Balancer Service.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-104.mspx

    • 10.51.14 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: FreeAmp ".m3u" File Buffer Overflow
    • Description: FreeAmp is an mp3 player available for Microsoft Windows. FreeAmp is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted "m3u" playlist file. FreeAmp version 2.0.7 is affected.
    • Ref: http://www.securityfocus.com/bid/45358

    • 10.51.15 - CVE: CVE-2010-3268
    • Platform: Third Party Windows Apps
    • Title: Symantec Antivirus "hndlrsvc.exe" Denial of Service
    • Description: Symantec Antivirus is an antivirus application. Symantec Antivirus is exposed to a remote denial of service issue that affects the Intel Alert Handler service ("hndlrsvc.exe"). The issue is caused by a failure to correctly process the "CommandLine" field in an AMS request. Symantec Antivirus Corporate Edition version 10.1.4.4010 is affected.
    • Ref: http://www.coresecurity.com/content/symantec-intel-handler-service-remote-dos

    • 10.51.16 - CVE: CVE-2010-2590
    • Platform: Third Party Windows Apps
    • Title: SAP Crystal Reports Print ActiveX Control Buffer Overflow
    • Description: SAP Crystal Reports Print ActiveX control is a component that allows users to view crystal reports. SAP Crystal Reports is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Crystal Reports 2008 SP3 Fix Pack 3.2 Print ActiveX version 12.3.2.753 is affected.
    • Ref: http://secunia.com/secunia_research/2010-135/

    • 10.51.17 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: SAP NetWeaver Business Client ActiveX Control Multiple Remote Code Execution Vulnerabilities
    • Description: SAP NetWeaver Business Client SapThemeRepository ("sapwdpcd.dll") ActiveX control is an application for implementing custom themes. SAP NetWeaver Business Client SapThemeRepository ActiveX control is exposed to multiple remote code execution issues.
    • Ref: http://support.microsoft.com/kb/240797

    • 10.51.18 - CVE: Not Available
    • Platform: Novell
    • Title: Novell ZENworks Desktop Management "ZenRem32.exe" Buffer Overflow
    • Description: Novell ZENworks Desktop Management is a framework for managing desktop workstations in enterprise environments. Novell ZENworks Desktop Management is exposed to a buffer overflow issue that affects the "ZenRem32.exe" service, which listens on TCP port 1761 by default. Novell ZENworks 7 Desktop Management version 7 SP1 is affected.
    • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-284/

    • 10.51.19 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Mozilla Firefox and SeaMonkey Java LiveConnect Script Security Bypass
    • Description: Firefox is a web browser. SeaMonkey is a suite of applications that includes a browser and an email client. Both applications are available for multiple platforms. Mozilla Firefox and SeaMonkey are exposed to a security bypass issue that occurs when a Java LiveConnect script is loaded via a data: URL which redirects through a meta refresh. Firefox versions 3.6.13 and 3.5.16 and SeaMonkey version 2.0.11 are affected.
    • Ref: http://www.mozilla.org/security/announce/2010/mfsa2010-79.html

    • 10.51.20 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Adobe Photoshop Multiple Unspecified Security Vulnerabilities
    • Description: Adobe Photoshop is an application that allows users to view and edit various graphic formats. The application is exposed to multiple unspecified issues. Adobe Photoshop versions prior to CS5 12.0.2 are affected.
    • Ref: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4893

    • 10.51.21 - CVE: CVE-2010-3616
    • Platform: Cross Platform
    • Title: ISC DHCP Server Failover Peer Port Field Denial of Service
    • Description: ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent. The application is exposed to a denial of service issue as the server may become unresponsive if a TCP connection is established to it on a failover peer port. ISC DHCP Server version 4.2 is affected.
    • Ref: https://www.isc.org/software/dhcp/advisories/cve-2010-3616

    • 10.51.22 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Avaya Aura Application Enablement Services Security Bypass
    • Description: Avaya Aura Application Enablement Services is used in unified communications and contact center solutions. Avaya Aura is exposed to a security bypass issue that occurs because of a flaw in the AES OAM web interface. Avaya Aura Application Enablement Services versions 4.x.x are affected.
    • Ref: https://support.avaya.com/css/P8/documents/100121813

    • 10.51.23 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM Rational ClearQuest ".ocx" Files Unspecified Security Vulnerabilities
    • Description: IBM Rational ClearQuest is an application for managing software development. The application is exposed to multiple unspecified issues related to six third-party ".ocx" files bundled with the installation. IBM Rational ClearQuest versions prior to 7.0.1.11, 7.1.1.4, and 7.1.2.1 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM01811

    • 10.51.24 - CVE: CVE-2010-4512
    • Platform: Cross Platform
    • Title: Cobbler "cobblerd" Insecure File Permissions
    • Description: Cobbler is a network installation and update server. Cobbler is exposed to an insecure file permissions issue. Specifically, this issue occurs because the "cobblerd" daemon implements a umask of "0" which creates world-writable files in the "tftpboot/pxelinux.cfg/" directory. This issue occurs when executing the sync command of the application. Cobbler versions prior to 2.0.4 are affected.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=554567

    • 10.51.25 - CVE: Not Available
    • Platform: Cross Platform
    • Title: D-Bus Nested Variants Denial of Service
    • Description: D-Bus is an IPC (Inter-Process Communication) system for applications to talk to one another. D-Bus is exposed to a local denial of service issue because the software fails to handle messages containing nested variants. D-Bus versions 1.4.0 and 1.2.24 are affected.
    • Ref: http://www.remlab.net/op/dbus-variant-recursion.shtml

    • 10.51.26 - CVE: CVE-2010-3762
    • Platform: Cross Platform
    • Title: ISC BIND 9 DNSSEC Validation Remote Denial of Service
    • Description: ISC BIND (Berkeley Internet Name Domain) is an implementation of DNS protocols. ISC BIND is exposed to a remote denial of service issue because the software fails to handle certain bad signatures in a DNS query. BIND versions prior to 9.7.2-P2 are affected.
    • Ref: http://ftp.isc.org/isc/bind9/9.7.2-P2/RELEASE-NOTES-BIND-9.7.2-P2.html

    • 10.51.27 - CVE: Not Available
    • Platform: Cross Platform
    • Title: HP StorageWorks Hidden Admin User Unauthorized Access
    • Description: HP StorageWorks is a storage array solution. The device is exposed to an unauthorized access issue because of a default and hidden administrative account, with the username "admin" and the password "!admin". HP StorageWorks MSA2000 G3 is affected.
    • Ref: http://www.securityfocus.com/archive/1/515196

    • 10.51.28 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Google Chrome prior to 8.0.552.224 Multiple Security Vulnerabilities
    • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple issues. Attackers may exploit these issues to execute arbitrary code in the context of the browser or cause denial of service. Other attacks are also possible. Chrome versions 8.x prior to 8.0.552.224 are affected.
    • Ref: http://googlechromereleases.blogspot.com/2010/12/stable-beta-channel-updates_13.html

    • 10.51.29 - CVE: CVE-2010-2602
    • Platform: Cross Platform
    • Title: BlackBerry Attachment Service PDF Distiller Remote Buffer Overflow
    • Description: BlackBerry Attachment Service is a component of the BlackBerry Enterprise Server and BlackBerry Professional Software; it is used to process email attachments. BlackBerry Enterprise Server provides a wireless connectivity platform for sending and receiving a variety of data from wireless devices such as smart phones. BlackBerry Attachment Service is exposed to a buffer overflow issue when the service's PDF distiller processes specially crafted PDF files.
    • Ref: http://www.blackberry.com/btsc/dynamickc.do?externalId=KB24761&sliceID=1&command=show&forward=nonthreadedKC&kcId=KB24761#

    • 10.51.30 - CVE: Not Available
    • Platform: Cross Platform
    • Title: echoping Multiple Remote Buffer Overflow Vulnerabilities
    • Description: echoping is an application used to test the performance of a remote host. echoping is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. echoping version 6.0.2 is affected.
    • Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606808

    • 10.51.31 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: IBM Lotus Mobile Connect Unspecified Cross-Site Scripting Vulnerabilities
    • Description: Lotus Mobile Connect is IBM VPN security software for wireless and wired network connections. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input passed via unspecified parameters to the HTTP-AS in the Connection Manager. IBM Lotus Mobile Connect versions prior to 6.1.4 are affected.
    • Ref: http://www.securityfocus.com/bid/45361

    • 10.51.32 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Cetera eCommerce "banner.php" Cross-Site Scripting
    • Description: Cetera eCommerce is a website creation, management and development software kit. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "bannerId" parameter of the "cms/templates/banner.php" script. Cetera eCommerce version 14.0 is affected.
    • Ref: http://www.securityfocus.com/bid/45374

    • 10.51.33 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Snitz Forums 2000 "members.asp" SQL Injection and Cross-Site Scripting Vulnerabilities
    • Description: Snitz Forums 2000 is a web-based application implemented in ASP. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. Snitz Forums 2000 version 3.4.07 is affected.
    • Ref: http://forum.snitz.com/forum/topic.asp?TOPIC_ID=69770

    • 10.51.34 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: IBM ENOVIA "emxFramework.FilterParameterPattern" Cross-Site Scripting
    • Description: IBM ENOVIA is lifecycle management software. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. This issue is related to the "emxFramework.FilterParameterPattern" property. IBM ENOVIA version 6 is affected.
    • Ref: http://www.securityfocus.com/bid/45391

    • 10.51.35 - CVE: Not Available
    • Platform: Web Application
    • Title: slickMsg "url" Value HTML Injection
    • Description: slickMsg is a web-based forum/bulletin board. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input to the "url" value of an unspecified script. slickMsg version 0.7-alpha is affected.
    • Ref: http://www.securityfocus.com/bid/45376

    • 10.51.36 - CVE: Not Available
    • Platform: Web Application
    • Title: PHP LiteSpeed SAPI Arbitrary Code Execution
    • Description: PHP LiteSpeed SAPI is a PHP server API application. PHP LiteSpeed SAPI is exposed to an issue that lets attackers execute arbitrary code because it fails to sufficiently sanitize user-supplied input. PHP LiteSpeed SAPI version 5.4 is affected.
    • Ref: http://www.securityfocus.com/archive/1/515168

    • 10.51.37 - CVE: CVE-2010-4507
    • Platform: Network Device
    • Title: Clear iSpot/Clearspot "cgi-bin/webmain.cgi" Cross-Site Request Forgery
    • Description: Clear iSpot and Clearspot are portable 4G devices. Clear iSpot and Clearspot are exposed to a cross-site request forgery issue because the devices do not properly validate user-supplied requests.
    • Ref: http://www.securityfocus.com/archive/1/515178

    (c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/